SSSD CIFS plugin

Summary

During the F20 development cycle, the SSSD will provide an ID-mapping
plugin for cifs-utils so that Windows SIDs can be mapped onto POSIX IDs
and/or names without requiring Winbind, using the same code that the SSSD uses
for identity information.

Current status

Detailed Description

When working with files on a CIFS share, mapping between Windows SIDs and POSIX IDs might be required in some situations, such as modifying ACLs. In recent versions, the cifs-utils package
introduced a plugin interface that allows different libraries to handle the ID mapping. Currently only Winbind provides such a plugin (see the file idmapwb.c in the cifs-utils tree). The goal of this
change is to provide a similar plugin using SSSD's ID mapping library so that the same method of ID mapping is used and Winbind is not required at all. The upstream design page that includes
deeper technical details can be found in the SSSD Trac. The progress of the work can also be tracked in the
upstream ticket #1534.

Benefit to Fedora

Fedora already defaults to configuring the SSSD to access identity
information from Windows servers via realmd and Enterprise Login
support. Using the same software for ID mapping when accessing CIFS shares
makes sense both from a correctness point of view (the same method would be
used to convert SIDs to IDs or names) and for reducing the dependency footprint.

Scope

The SSSD would provide a plugin for the cifs-utils package as described in the upstream design page. The cifs-utils package
would then switch to using the SSSD plugin instead of the one provided by Winbind. The change on the cifs-utils side should amount to changing a symlink.

Proposal owners:

SSSD needs to create a plugin that matches the interface used by cifs-utils.

This plugin would be packaged as a separate subpackage.

Other developers:

The cifs-utils package would switch to managing which ID mapping plugin it uses with the use of alternatives (rhbz #984088).

Release engineering:

No mass rebuild would be required.

The cifs-utils package would Require the new SSSD plugin and, indirectly, its dependencies, which would be primarily the libsss_idmap library.

Policies and guidelines:

No new policy guidelines.

Upgrade/compatibility impact

No existing functionality should be lost. Resolving SIDs to IDs and names should work as it used to.

Testing with cifsacl option to mount.cifs

If the cifsacl mount option is used, the cifs kernel module will call
cifs.idmap to translate the Windows SIDs into the corresponding UIDs/GIDs
of the client system, so that the ownership of the files in the mounted
file system is not mapped to the user who mounted the file system, but
corresponds to the owning user and group of the Windows domain.